[Box-Admins] Access to the new server(s)

Chris Muller asqueaker@gmail.com
Thu Sep 29 02:53:43 UTC 2016


Hi Dave, I think the first command establishes the tunnel to a port on
your localhost.

So enter the last command in a separate terminal window on your
machine instead of in the tunneling window, which does not accept
commands.

On Wed, Sep 28, 2016 at 6:53 PM, David T. Lewis <lewis@mail.msen.com> wrote:
> Thanks Tobias,
>
> I am not able to connect with variant (1). Probably I am doing something wrong,
> as I have little experience with ssh tunneling. This is what I see:
>
>   lewis@lewis-Gazelle-Pro:~$ ssh -p1022 -lssh 104.130.6.82
>   restrict shell, no commands #
>   restrict shell, no commands # ssh -AN -L22221:10.176.197.150:22 -p1022 -lssh 104.130.6.82
>   restrict shell, no commands # ssh -ldavidlewis -p22221 localhost
>   restrict shell, no commands # ls
>   restrict shell, no commands #
>
> Can you tell what I am doing wrong?
>
> Thanks,
> Dave
>
>
>
> On Wed, Sep 28, 2016 at 11:31:36AM +0200, Tobias Pape wrote:
>> Dear all
>>
>> [ACTIONS AT END]
>>
>> with retroactive blessing of Levente, I have now prepared eight VMs on Rackspace.
>> Here's the overview:
>>
>> =======================================================================================================================
>> Name  Name (ext)      intended use    Unix Users      Public Ports    Private Ports   Public IPv4     Private IPv4
>> -----------------------------------------------------------------------------------------------------------------------
>> ian   ssh.squeak.org  ssh-gateway     ssh             1022            22              104.130.6.82    10.208.225.29
>> alan  *.squeak.org    webserver       webteam         80, 443         22              104.239.229.92  10.176.200.8
>> adele lists....       mailinglists    (tbd)           25, 587, 465    22, 8080        162.242.237.43  10.208.160.56
>> andreas       --------        source.squeak   chrismuller*    --------        22, 8080        irrelevant      10.208.161.222
>> dan   --------        squeaksource    davidlewis*     --------        22, 8080        irrelevant      10.176.197.150
>> ted   --------        squeak wiki+map (tbd)           --------        22, 8080, 8081  irrelevant      10.176.130.111
>> david --------        jenkins         (tbd)           --------        22, 8080        irrelevant      10.208.194.45
>> scott --------        misc            (tbd)           --------        22, 8080, 8081  irrelevant      10.176.199.169
>> =======================================================================================================================
>>
>> Currently, Levente and I have sudo on all these machines. Users with * also do.
>>
>> Note that _no_ server exposes SSH on port 22 on a public IP. This is intentional to narrow attack vectors for script kiddies.
>> How to login?
>>
>> Ian is the ssh gateway so you have to connect to ian _first_ and use (1) local forwarding or (2) proxy jumping.
>> I have installed the Public keys from most of you for the 'ssh' user on ian.
>>
>> Please verify by
>>       ssh -p1022 -lssh 104.130.6.82
>> you should see
>>       restrict shell, no commands #
>> (you get out with ctrl-d, ctrl-c, or killing ssh)
>>
>> How to reach the other servers? Example for 'andreas'
>>
>> variant (1):
>>       Do a local forward by
>>               ssh -AN -L22221:10.176.200.8:22 -p1022 -lssh 104.130.6.82
>>       and then
>>               ssh -lYOURNAME -p22221 localhost
>>       (-N maybe optional, but then you see 'restrict shell, no commands #')
>>
>>       Or in your .ssh/config you can put
>>
>>       Host ian.squeak.org
>>         User ssh
>>         Hostname 104.130.6.82
>>         Port 1022
>>         LocalForward 22221 10.176.200.8:22
>>
>>       Host andreas.squeak.org
>>         User YOURNAME
>>         Hostname localhost
>>         Port 22221
>>
>>       And then say 'ssh -AN ian.squeak.org' and then 'ssh andreas.squeak.org'
>>
>> variant (2):
>>       (a) You have OpenSSH >= 7.3
>>       Do a Jump with
>>               ssh -J ssh@104.130.6.82:1022 YOURNAME@10.176.200.8
>>
>>       Or in your .ssh/config you can put
>>
>>       Host ian.squeak.org
>>         User ssh
>>         Hostname 104.130.6.82
>>         Port 1022
>>
>>       Host andreas.squeak.org
>>         User YOURNAME
>>         Hostname 10.176.200.8
>>         ProxyJump ian.squeak.org
>>
>>       And then say 'ssh andreas.squeak.org'
>>
>>       (b) You have OpenSSH >= 5.4
>>       Do a Jump via
>>               ssh -o ProxyCommand="ssh -lssh -p1022 -W %h:%p 104.130.6.82" YOURNAME@10.176.200.8
>>
>>       Or in your .ssh/config you can put
>>
>>       Host ian.squeak.org
>>         User ssh
>>         Hostname 104.130.6.82
>>         Port 1022
>>
>>       Host andreas.squeak.org
>>         User YOURNAME
>>         Hostname 10.176.200.8
>>         ProxyCommand ssh -W %h:%p ian.squeak.org
>>
>>       And then say 'ssh andreas.squeak.org'
>>
>>       (c) You have OpenSSH < 5.4
>>       Use variant (1)
>>
>> We will shortly start RSYNC-ing over data from box3 and box4 as well as replicating DNS entries before switching over.
>>
>> [ACTION REQUIRED]
>>
>> - Who needs access to which servers?
>> - Do we need Jenkins anymore?
>>
>> As always, questions appreciated.
>>
>> Best regards
>>       -Tobias
>>
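The .ssh/config snippets quoted in the thread are easy to get subtly wrong (the local-forward variant as posted carries a six-digit port, and a ProxyJump that names a Host block which does not exist fails only at connect time). The following validator is an added example written for this page; it is not code from the Box-Admins list or from the Squeak project. It parses the whitespace "Keyword value" form of ssh_config that the thread uses (the "Keyword=value" form is not handled), flags Port and LocalForward values outside 1..65535, and reports ProxyJump hops that are not defined as a Host block in the same file. The embedded sample configs are constructed from the thread's quoted text; the host names and addresses are the ones Tobias listed.

```python
"""Sanity-check a small OpenSSH client config of the kind quoted in the thread.

Added example for this page, not the list's or the project's own code.
"""
import re

MAX_PORT = 65535  # TCP port numbers stop here; anything larger is a typo


def parse_ssh_config(text):
    """Parse 'Keyword value' ssh_config lines into (host_pattern, options) blocks.

    Options map the lower-cased keyword to the list of values seen in that
    block (LocalForward may legitimately repeat). Lines before the first
    Host line are ignored; the 'Keyword=value' spelling is not handled.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            current = {}
            blocks.append((value, current))
        elif current is not None:
            current.setdefault(keyword, []).append(value)
    return blocks


def _port_ok(value):
    return value.isdigit() and 1 <= int(value) <= MAX_PORT


def check_ssh_config(text):
    """Return a list of problem strings; an empty list means the config passed."""
    blocks = parse_ssh_config(text)
    known_hosts = {name for name, _ in blocks}
    problems = []
    for name, opts in blocks:
        for value in opts.get("port", []):
            if not _port_ok(value):
                problems.append(f"Host {name}: Port {value} is not in 1..{MAX_PORT}")
        for value in opts.get("localforward", []):
            # LocalForward [bind_address:]port host:hostport
            m = re.fullmatch(r"(?:\S+:)?(\d+)\s+(\S+):(\d+)", value)
            if not m:
                problems.append(f"Host {name}: cannot parse LocalForward '{value}'")
                continue
            local_port, _target, remote_port = m.groups()
            for label, port in (("local", local_port), ("remote", remote_port)):
                if not _port_ok(port):
                    problems.append(
                        f"Host {name}: LocalForward {label} port {port} is not in 1..{MAX_PORT}"
                    )
        for value in opts.get("proxyjump", []):
            # ProxyJump takes a comma-separated chain of [user@]host[:port];
            # this checker expects every hop to be a Host block in the same file.
            for hop in value.split(","):
                hop_host = hop.strip().rsplit("@", 1)[-1].split(":")[0]
                if hop_host not in known_hosts:
                    problems.append(f"Host {name}: ProxyJump hop '{hop_host}' has no Host block")
    return problems


# Constructed sample: the local-forward config as quoted in the thread,
# including the six-digit port that was posted.
LOCAL_FORWARD_AS_POSTED = """\
Host ian.squeak.org
  User ssh
  Hostname 104.130.6.82
  Port 1022
  LocalForward 222221 10.176.200.8:22

Host andreas.squeak.org
  User YOURNAME
  Hostname localhost
  Port 222221
"""

# Same config with the port brought into range, matching the command-line form.
LOCAL_FORWARD_FIXED = LOCAL_FORWARD_AS_POSTED.replace("222221", "22221")

# Constructed sample: the ProxyJump config from variant (2a).
PROXY_JUMP = """\
Host ian.squeak.org
  User ssh
  Hostname 104.130.6.82
  Port 1022

Host andreas.squeak.org
  User YOURNAME
  Hostname 10.176.200.8
  ProxyJump ian.squeak.org
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", LOCAL_FORWARD_AS_POSTED),
                       ("fixed", LOCAL_FORWARD_FIXED),
                       ("proxyjump", PROXY_JUMP)):
        print(label, check_ssh_config(cfg) or "ok")
```

Run it on a config before the first connection attempt; the check is purely local and never opens a socket, so it is safe to run from anywhere. OpenSSH itself will also expand a config for you with `ssh -G hostname`, which is a good second check once the file parses cleanly.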

